BreachExchange mailing list archives

eBay argued against stronger privacy breach penalties


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 22 May 2014 19:54:00 -0600

http://www.zdnet.com/ebay-argued-against-stronger-privacy-breach-penalties-7000029755/

As eBay hastily informs its customers of its massive privacy breach, the
company told the Australian Law Reform Commission that stopping reputation
damage was enough of an incentive to protect customer data, and that
statutory action against privacy breaches was unnecessary.

Overnight, eBay announced
(http://www.zdnet.com/ebay-change-your-passwords-due-to-cyberattack-7000029725/#ftag=RSSbaffb68)
that it had been the victim of a "cyberattack" in which employee login
credentials were compromised between late February and early March, allowing
access to eBay's corporate network and to the company's customer database
containing its users' names, email addresses, physical addresses, dates of
birth, and their encrypted passwords. eBay first became aware of the issue
around two weeks ago.

The company today has begun asking its users to reset their passwords. It
has said that there is no evidence at this time of fraudulent account
activity on eBay; however, the information that could be obtained from the
database could potentially be used for identity fraud.

While eBay will be dealing with the ramifications of the breach over the
coming weeks and months, the online retailer has argued strongly against
statutory penalties being imposed on companies that breach their customers'
privacy.

The Australian Law Reform Commission was tasked last year to review serious
invasions of privacy in the digital era, and potential statutory causes of
action against companies or individuals in cases of privacy breaches.

In a submission (PDF) to the inquiry
(http://www.alrc.gov.au/sites/default/files/subs/35._org_ebay_and_paypal.pdf),
eBay's acting head of corporate affairs Sassoon Grigorian said that, given
the company's own approach to privacy, such an action "need not be
considered at this point".

"Over the years, we have learnt that one of the keys to success is
engendering consumer trust and confidence. Confidence is in great part
built through consumers trusting that businesses will adhere to certain
rules for protecting individual privacy; both those rules required by
statutory principle and those followed by sound business practices. Trust
in our privacy protections has enabled eBay to be successful in growing our
businesses," Grigorian said in a submission in November.

"eBay Inc. recognises the responsibilities which come with handling the
personal and private information of both individuals and organisations, and
requires all of its companies to adhere to strict standards of behaviour.
We have sought to be a leader in the field of handling personal
information."

Grigorian said that eBay has corporate rules in place to "adequately
protect our users' personal information regardless of where the data
resides."

Customers should be notified when there is serious risk of identity theft
or fraud for financial gain, Grigorian said, but added that notification
should not be required where potential harm is "nominal".

Today eBay said that the two-week delay in informing customers was a result
of the company waiting until it had all the facts.

In its submission to the ALRC, the company said existing penalties in the
Australian Privacy Act were sufficient to cover serious data breaches, and
the reputational loss was "the most significant incentive" for
organisations to prevent breaches.

Comment has been sought from eBay.

Following publication of news of the privacy breach, users have reported
difficulty accessing the password reset page because of the high traffic
on the eBay website caused by the breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
